Ransomware actors and cryptocurrency scammers have joined nation-state actors in abusing cloud mining services to launder digital assets, new findings reveal.
“Crypto-currency mining is an important part of our industry, but it also has a special appeal for bad actors, as it provides a means to earn money with a completely clean, on-chain native source,” blockchain analytics company Chainalysis said in a report shared with The Hacker News.
Earlier this March, Google Mandiant disclosed North Korea-based use of hash rental and cloud mining service APT43 to obfuscate forensic tracks and clean up stolen cryptocurrency.
Cloud mining service allows users to rent computer systems and use the computer’s hash power to mine cryptocurrencies without having to manage mining hardware themselves.
But according to Chainalysis, it’s not just hacking crews from countries that make use of such services in the wild.
In one instance highlighted by the company, mining pools and wallets linked to ransomware actors have been used to send funds to a “highly active deposit address” on an unnamed mainstream crypto exchange.
This includes $19.1 million from four ransomware wallet addresses and $14.1 million from three mining pools, with most of the funds routed through a network of wallets and intermediary pools.
“In this scenario, the mining pool acts similar to a mixer in that it obscures the origin of the funds and creates the illusion that the funds are coming from mining, not from ransomware,” notes Chainalysis.
In a sign that the trend is gaining traction, the cumulative value of assets sent from ransomware wallets to exchanges via mining pools has jumped from less than $10,000 in Q1 2018 to nearly $50 million in Q1 2023.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards tight security. Join our insightful webinar!
Not only that. A total of 372 exchange deposit addresses have been found to receive at least $1 million of cryptocurrency from mining pools and any number of ransomware addresses since January 2018.
“Overall, the data suggests that mining pools may play a key role in the money laundering strategies of many ransomware actors,” said Chainalysis.
Mining pools also have a place in the playbook of such scam operators BitClub Networkwho were found mixing their illegal Bitcoin proceeds with assets received from Bitcoin mining operations based in Russia and BTC-e, a crypto exchange set up to facilitate the laundering of money stolen in the infamous Mt.Gox hack.
“Crypto fraudsters and money launderers working on their behalf also use mining pools as part of their money laundering process,” the company said. “Deposit addresses (with receipt of at least $1 million worth of crypto from mining pools) have received less than $1.1 billion worth of cryptocurrency from fraud-related addresses since 2018.”